The Mastodon "Remote follow" feature could be so easily used to phish the average Mastodon user into signing into a fake instance.

⚠️ Important security reminder: Always make sure the URL shows your "home instance" when logging in.

@fj Isn't this an area where customizing the way Mastodon looks based on a per-user cookie (something the fake site can't see) would help?

@fj you're never prompted to log in though, well at least not if you're already logged in.

Pro tip to get around it: copy-paste the URL of the profile into the search field to find the person you want to follow.

@fj this is what password managers excel at. They won't fill in a password on a different instance (or any phishing site) and you can't enter a password because you don't know it.

@fj Keen thought sir, thanks for the reminder. Even then, don't trust URLs — manually type them.

@szbalint @fj It won't save you if your 2FA code gets phished as well

@fj Better yet – don't use the "remote follow" flow. It's faster to paste the URL into the search bar on your home instance anyway.

@nolan @fj Now that qvitter has this too (pasting the account into the people search), the old remote follow flow remains there mostly as a backup.

@fj also avoid buying domains to run instances here containing the letter l, since l's look like 1s (ones); you may be fishy fishied

@fj Tell that to people who defend Unicode in URLs
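As an added example (not part of any post in this thread, and not Mastodon's own code): a small Python check of the kind the replies above describe, comparing the host of a login page's URL against the user's home instance (assumed here to be mastodon.social) and flagging the lookalikes people warn about: 1 for l, rn for m, Cyrillic letters that render like Latin ones, and the home name used as a subdomain prefix. The confusable table is a hand-built subset written for this example, not the full Unicode confusables data.

```python
"""Check that a login URL really points at the user's home instance.

Added example, not Mastodon code. CONFUSABLES and MULTI are a small constructed
subset of lookalike characters, not the full Unicode confusables table.
"""
import unicodedata
from urllib.parse import urlsplit

HOME_INSTANCE = "mastodon.social"  # assumed home instance for this example

# Single characters that render much like an ASCII letter in an address bar.
CONFUSABLES = {
    "1": "l", "|": "l", "0": "o",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0445": "x",  # Cyrillic ha
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic/Ukrainian i
    "\u03bf": "o",  # Greek omicron
}
# Character pairs that read as one letter at a glance.
MULTI = {"rn": "m", "vv": "w"}


def skeleton(host):
    """Collapse a hostname to the ASCII string a human would 'see'."""
    s = unicodedata.normalize("NFKC", host).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI.items():
        s = s.replace(seq, rep)
    return s


def ascii_host(host):
    """Hostname as the browser resolves it: punycode (xn--) for non-ASCII labels.

    Returns None when the name is not valid under the IDNA rules Python applies.
    """
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def check_login_url(url, home=HOME_INSTANCE):
    """Classify the URL shown in the address bar of a sign-in page.

    Returns (verdict, detail) with verdict one of:
    'ok', 'not-https', 'unparseable', 'lookalike', 'other-instance'.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lowercased by urlsplit; None if absent
    if not host:
        return "unparseable", "no hostname in URL"
    if parts.scheme != "https":
        return "not-https", "scheme is %r, expected https" % parts.scheme
    resolved = ascii_host(host)
    if resolved is None:
        return "unparseable", "hostname is not a valid IDNA name"
    if resolved == home:
        return "ok", "host is the home instance %s" % home

    # Not home. Decide whether it merely resembles home or is simply elsewhere.
    if "xn--" in resolved:
        note = "uses non-ASCII characters (punycode form %s)" % resolved
    else:
        note = "ASCII lookalike"
    if skeleton(host) == skeleton(home):
        return "lookalike", "%s resembles %s: %s" % (host, home, note)
    # mastodon.social.example.net: the home name is only a leading label.
    if host.startswith(home + ".") or host.startswith(home + "-"):
        return "lookalike", "%s embeds %s as a prefix of a different domain" % (host, home)
    return "other-instance", "%s is a different domain from %s" % (host, home)


if __name__ == "__main__":
    # Constructed sample URLs, including one with a Cyrillic 'а' in 'mastodon'.
    for sample in (
        "https://mastodon.social/auth/sign_in",
        "http://mastodon.social/auth/sign_in",
        "https://rnastodon.social/auth/sign_in",
        "https://m\u0430stodon.social/auth/sign_in",
        "https://mastodon.social.example.net/auth/sign_in",
        "https://fosstodon.org/auth/sign_in",
    ):
        print(check_login_url(sample))
```

The check is deliberately conservative: anything other than an exact match with the home instance after IDNA encoding is at best "other-instance", and the lookalike heuristics only decide how loudly to warn. A password manager's origin matching, as one reply notes, gives the same exact-host guarantee without the user having to read the bar at all.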

@fj If you want to follow someone, or boost something you only have a direct link on their instance to, you can just paste the URL into the search field in your instance and the right thing will happen 🙂

